An update for pam is now available for openEuler-22.03-LTS-SP1,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2501 Final 1.0 1.0 2024-12-06 Initial 2024-12-06 2024-12-06 openEuler SA Tool V1.0 2024-12-06 pam security update An update for pam is now available for openEuler-22.03-LTS-SP1,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4 PAM (Pluggable Authentication Modules) is a system of libraries that handle the authentication tasks of applications (services) on the system. Security Fix(es): A vulnerability was found in pam_access due to the improper handling of tokens in access.conf, interpreted as hostnames. This flaw allows attackers to bypass access restrictions by spoofing hostnames, undermining configurations designed to limit access to specific TTYs or services. The flaw poses a risk in environments relying on these configurations for local access control.(CVE-2024-10963) An update for pam is now available for openEuler-22.03-LTS-SP1,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High pam https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2501 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-10963 https://nvd.nist.gov/vuln/detail/CVE-2024-10963 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 pam-help-1.5.2-9.oe2203sp1.noarch.rpm pam-help-1.5.3-5.oe2403.noarch.rpm pam-help-1.5.2-9.oe2203sp4.noarch.rpm pam-help-1.5.2-9.oe2203sp3.noarch.rpm pam-help-1.4.0-12.oe2003sp4.noarch.rpm pam-1.5.2-9.oe2203sp1.aarch64.rpm pam-debuginfo-1.5.2-9.oe2203sp1.aarch64.rpm pam-debugsource-1.5.2-9.oe2203sp1.aarch64.rpm pam-devel-1.5.2-9.oe2203sp1.aarch64.rpm pam-1.5.3-5.oe2403.aarch64.rpm pam-debuginfo-1.5.3-5.oe2403.aarch64.rpm pam-debugsource-1.5.3-5.oe2403.aarch64.rpm pam-devel-1.5.3-5.oe2403.aarch64.rpm pam-1.5.2-9.oe2203sp4.aarch64.rpm pam-debuginfo-1.5.2-9.oe2203sp4.aarch64.rpm pam-debugsource-1.5.2-9.oe2203sp4.aarch64.rpm pam-devel-1.5.2-9.oe2203sp4.aarch64.rpm pam-1.5.2-9.oe2203sp3.aarch64.rpm pam-debuginfo-1.5.2-9.oe2203sp3.aarch64.rpm pam-debugsource-1.5.2-9.oe2203sp3.aarch64.rpm pam-devel-1.5.2-9.oe2203sp3.aarch64.rpm pam-1.4.0-12.oe2003sp4.aarch64.rpm pam-debuginfo-1.4.0-12.oe2003sp4.aarch64.rpm pam-debugsource-1.4.0-12.oe2003sp4.aarch64.rpm pam-devel-1.4.0-12.oe2003sp4.aarch64.rpm pam-1.5.2-9.oe2203sp1.src.rpm pam-1.5.3-5.oe2403.src.rpm pam-1.5.2-9.oe2203sp4.src.rpm pam-1.5.2-9.oe2203sp3.src.rpm pam-1.4.0-12.oe2003sp4.src.rpm pam-1.5.2-9.oe2203sp1.x86_64.rpm pam-debuginfo-1.5.2-9.oe2203sp1.x86_64.rpm pam-debugsource-1.5.2-9.oe2203sp1.x86_64.rpm pam-devel-1.5.2-9.oe2203sp1.x86_64.rpm pam-1.5.3-5.oe2403.x86_64.rpm pam-debuginfo-1.5.3-5.oe2403.x86_64.rpm pam-debugsource-1.5.3-5.oe2403.x86_64.rpm pam-devel-1.5.3-5.oe2403.x86_64.rpm pam-1.5.2-9.oe2203sp4.x86_64.rpm pam-debuginfo-1.5.2-9.oe2203sp4.x86_64.rpm pam-debugsource-1.5.2-9.oe2203sp4.x86_64.rpm pam-devel-1.5.2-9.oe2203sp4.x86_64.rpm pam-1.5.2-9.oe2203sp3.x86_64.rpm pam-debuginfo-1.5.2-9.oe2203sp3.x86_64.rpm pam-debugsource-1.5.2-9.oe2203sp3.x86_64.rpm pam-devel-1.5.2-9.oe2203sp3.x86_64.rpm pam-1.4.0-12.oe2003sp4.x86_64.rpm pam-debuginfo-1.4.0-12.oe2003sp4.x86_64.rpm pam-debugsource-1.4.0-12.oe2003sp4.x86_64.rpm pam-devel-1.4.0-12.oe2003sp4.x86_64.rpm A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals. 2024-12-06 CVE-2024-10963 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 High 7.4 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N pam security update 2024-12-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2501